Web site guidelines

Lock down that server

Here is a summary of the 'Checklist for Securing the Web Server Operating System' from NIST Special Publication 800-44, 'Guidelines on Securing Public Web Servers.'

Patch and upgrade operating system.

Remove or disable unnecessary services and applications.

Configure operating system user authentication.

Configure resource controls appropriately.

Install and configure additional security controls.

Test the operating system's security.

For more on the guidelines, go to GCN.com GCN.com/850.

Setting up a public Web page for your agency or department? Take a look at a newly revised set of recommendations from the National Institute of Standards and Technology, 'Guidelines on Se- curing Public Web Servers' (Special Publication 800-44).

The second draft, researched and published by the computer security division at NIST's Information Technology Laboratory, is intended to help government organizations install, configure and maintain secure public Web servers. It replaces NIST's first version of the guidelines, published in 2002.

NIST researchers Miles Tracy, Wayne Jansen, Karen Scarfone and Theodore Winograd compiled the second edition of the report.

In revising the first edition, the NIST team revamped some of the original material, deleted some outdated material and added new material, Jansen said. New sections were added to incorporate recent changes in technology, including personal identity information, virtual machine platforms and current attacks.

'We used the previous version of the publication as a starting point, identifying topics that needed to be added and major areas that needed to be updated,' Jansen said in an e-mail. 'The previous version was marked up accordingly and work proceeded from there. A draft of the revised publication was posted for public comment, and we used the feedback from that process to prepare the final version.'

The NIST researchers found that the kinds of hacking attacks that Web servers can face is even broader in scope than in 2002. For instance, the report includes material on the emerging practice of pharming, 'where Domain Name System (DNS) servers or users' host files are compromised to redirect users to a malicious site in place of the legitimate site,' the report states. The guide also includes material on phishing, SQL injection and cross-site scripting.

For those setting up their first Web server, Jansen recommends starting with the third chapter, which is about planning and managing Web servers. He said an administrator should then proceed to chapters four through six, which discuss the installation and configuration of the operating system and Web server and how to secure the Web content. Those digging deeper in the later chapters will find more material on securing and administering a Web server.

For a copy of the report, visit GCN.com/850. In addition, NIST recently issued a number of other documents of potential value to IT administrators, including a revised information security performance measurement guide (GCN.com/851), a draft of a revised security incident handling guide (GCN.com/852) and a new draft of an information system security reference model (GCN.com/853).

About the Authors

Joab Jackson is the senior technology editor for Government Computer News.